1e6b5d1de8ba51cbf5d94600d07923b165e2e92569d653c56152bbb81f726f39

Resubmissions

01-03-2022 08:14

01-03-2022 07:35

Target

sample.exe
Size

141KB
MD5

1c2af6c5e1b8b87189b5da7bd3cefe30
SHA1

6881acb4f1401f0db02bbebe82e2381a0b7c447d
SHA256

cf0705a3e4f3690e28184eb019a4940e7291ce5b3d52747ff80b72e90922a89b
SHA512

1f391111cbeb12f892c272076111a8317b98c9eda4bbf12eefb7a47bcc1a327b43310739a301718b700dc2ce28339b00533f2c9eda1f06ffff21f30d69ce6362

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

764 1476 WerFault.exe sample.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

764 WerFault.exe
764 WerFault.exe
764 WerFault.exe
764 WerFault.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

sample.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 1476 sample.exe
Token: SeDebugPrivilege 764 WerFault.exe

pid	pid_target	process	target process
764	1476	WerFault.exe	sample.exe

description	pid	process
Token: SeDebugPrivilege	1476	sample.exe
Token: SeDebugPrivilege	764	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

sample.exe

description	pid	process	target process
PID 1476 wrote to memory of 764	1476	sample.exe	WerFault.exe
PID 1476 wrote to memory of 764	1476	sample.exe	WerFault.exe
PID 1476 wrote to memory of 764	1476	sample.exe	WerFault.exe

memory/764-56-0x000007FEFC401000-0x000007FEFC403000-memory.dmp

Filesize
8KB

Download
memory/764-59-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1476-54-0x00000000000E0000-0x000000000010A000-memory.dmp

Filesize
168KB

Download
memory/1476-55-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/1476-58-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1476-57-0x000000001B050000-0x000000001B052000-memory.dmp

Filesize
8KB

Download